Adidas warns U.S. online shoppers to be on alert after data breach

Adidas placed a warning to its online U.S. shoppers that their personal information may have been accessed during a suspected data breach last week. The footwear giant first became aware of the incident on June 26 and analysts are saying that millions of customers could be affected.

Adidas says its taking steps to alert consumers and working with a data security firm to investigate further.

"According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords. Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted," a statement read on the company's website.

Adidas is the latest brand to be hit with a breach in 2018. Other big names affected in the first half of the year include Under Armour and Best Buy.

Fred Kneip, CEO of CyberGRX said retail websites have become "a fertile hunting ground" for fraudsters to get their hands on customer data.

“Even when organizations do everything they can do safeguard their data, attackers have gotten very good at going through third parties to find a way in," he told FierceRetail. "Just this week we saw Ticketmaster breached through a vulnerability with a chatbot vendor, causing sensitive data to be leaked. The Under Armour attack earlier this year was executed through a vulnerability with its MyFitnessPal app."

Kneip added that no site is impenetrable today because so many third parties have access to retailer's networks. It only takes one vulnerability within any of those third parties to put sensitive data at risk.

Plus, as George Avetisov, CEO of HYPR, points out, the earlier Saks Fifth Avenue breach and now the Adidas breach share a commonality of the centralization of massive amounts of customer data—this includes payment and retail account login details, bank card numbers and more.

"This creates a large attack surface and an easy, single point of failure that hackers love. Retailers and payment service providers need to remove the target through decentralization, where customer data is stored on the customer’s mobile device," Avetisov said. "This removes the target and forces hackers to go from device to device to attempt obtaining even one set of credentials, which will ultimately deter them. If not, we can expect to see more of these retail breaches in 2018.”

Still, Rodney Joffe, senior VP and fellow at Neustar, says there are steps retailers can take to better protect themselves from hackers.

"Installing a Web Application Firewall (WAF) is crucial for preventing third parties like these from accessing a website and stealing customers’ sensitive and personal information," Rodney said. "And with legislation such as GDPR in play, it is as important as ever that a unified 24/7 Security Operation Center, including a user interface with real-time monitoring and reporting, is already in place."

If not, retailers run a risk of not only a breach, but a loss of trust by the consumer. And ultimately, as trust diminishes, so do the sales.

"To Adidas’ credit, they disclosed the breach quickly, because, as we’ve seen with other incidents, no breach stays secret for long, and the appearance of attempting to cover it up can further weaken consumer confidence in that brand," said Joe Stuntz, VP of cybersecurity at One World Identity.